How to Conduct Reference Checks with GDPR Compliance

How to Conduct Reference Checks with GDPR Compliance

According to research by Lever, 61% of compliance professionals are “concerned with how GDPR would impact their recruiting and hiring processes, including their methods for sourcing potential candidates.”

Now that GDPR is in place, here’s what you need to be doing to ensure your method of reference checking is compliant.

1. Get candidate consent

As soon as a candidate applies for a role, you must make them aware of every background check you plan to take and gain consent from them to do so.

Of course, if they don’t give consent, you can terminate their application on the grounds that it is a requirement of your recruitment process.

In GDPR terms, consent is:

“Freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing”

2. Make sure the data you collect is of “legitimate interest”

GDPR guidelines outline a number of factors that deem a data gathering process of “legitimate interest”.

You must ensure the information you plan to collect;

• informs a contractual decision
• meets industry compliance
• is in the public's interest

You should also be confident the process itself doesn’t go beyond reasonable privacy expectations. A breach could occur if a reference check includes questions that are personal, discriminatory or have little relation to an individual’s performance.

3. Destroy all unnecessary data

Data destruction is a major focus of GDPR and something that sets it apart from previous data privacy directives.

It requires organisations to keep data only as long as they need to and to delete it securely, completely and with evidence of having done so when necessary.

Candidates’ “right to be forgotten” means they can, at certain times, request that their data be deleted. This includes:

• when the information is no longer required for its intended purpose
• when the individual withdraws their consent

This means you may reasonably be asked to delete the reference checks of unsuccessful candidates. but you should also be considering the necessity of all candidate data you hold and destroying any that could be deemed unnecessary.

4. Will you need to transfer data internationally?

GDPR does not restrict the transfer of data outside of the EU, but it does set boundaries on where and how data can be shared internationally.

Under the regulation, countries are divided into two groups:

• Adequate countries - countries considered to ensure an adequate level of protection for personal data. Data transfers are permitted and legal.
• “Non-adequate” countries - countries considered to offer inadequate levels of protection. International data transfers can only take place where organisations have safeguards for data protection in place.

The European Commission has so far recognised the follow countries as providing adequate protection:

• Andorra
• Argentina
• Canada (commercial organisations)
• Faroe Islands
• Guernsey, Israel
• Isle of Man
• Jersey
• New Zealand
• Switzerland
• Uruguay
• The United States of America (limited to the Privacy Shield framework)

Overseas transfers to “Non-adequate” countries can still be made in some circumstances. In the case of reference checking, this can be done if a candidate has been informed of the potential risks of the transfer and explicitly consents to you progressing with it.

We’re proud to offer the assurance of a fully GDPR compliant online checking platform. If you’d like to understand how Xref’s works, you can learn more here.